[Japanese]

JVNDB-2021-006117

Multiple vulnerabilities in IDEC PLCs

Overview

Multiple PLCs provided by IDEC Corporation contain multiple vulnerabilities listed below.

* Unprotected transport of credentials (CWE-523) - CVE-2021-37400
* Plaintext storage of a password (CWE-256) - CVE-2021-37401
* Unprotected transport of credentials (CWE-523) - CVE-2021-20826
* Plaintext storage of a password (CWE-256) - CVE-2021-20827

Khalid Ansari of FM Approvals reported these vulnerabilities to IDEC Corporation, and IDEC Corporation reported
the case to JPCERT/CC and coordinated in order to notify users of the solutions through JVN.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 7.6 (High) [Other]
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: Low
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics 7.5 (High) [NVD Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2021-37400

CVSS V3 Severity:
Base Metrics:7.6 (High) [Other]
  • Attack Vector: Adjacent
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: Low
  • Availability Impact: Low
The above CVSS base scores have been assigned for CVE-2021-37401

CVSS V3 Severity:
Base Metrics:7.6 (High) [Other]
  • Attack Vector: Adjacent
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: Low
  • Availability Impact: Low
The above CVSS base scores have been assigned for CVE-2021-20826

CVSS V3 Severity:
Base Metrics:7.6 (High) [Other]
  • Attack Vector: Adjacent
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: Low
  • Availability Impact: Low
The above CVSS base scores have been assigned for CVE-2021-20827
Affected Products


IDEC
  • WindEDIT Lite v1.3.1 and earlier
  • WindLDR v8.19.1 and earlier
  • Data File Manager v2.12.1 and earlier
  • FC6A MICROSmart All-in-One CPU Module v2.32 and earlier
  • FC6A MICROSmart Plus CPU Module v1.91 and earlier
  • FC6B MICROSmart All-in-One CPU Module v2.31 and earlier
  • FC6B MICROSmart Plus CPU Module v2.31 and earlier
  • FT1A Controller SmartAXIS Pro/Lite v2.31 and earlier

For more information, refer to the information provided by the developer.
Impact

* An attacker may obtain the user credentials from the communication between the PLC and the software. As a result, the PLC user program may be uploaded, altered, and/or downloaded. - CVE-2021-37400

* An attacker may obtain the user credentials from file servers, backup repositories, or ZLD files saved in SD cards. As a result, the PLC user program may be uploaded, altered, and/or downloaded. - CVE-2021-37401

* An attacker may obtain the PLC Web server user credentials from the communication between the PLC and the software. As a result, the complete access privileges to the PLC Web server may be obtained, and manipulation of the PLC output and/or suspension of the PLC may be conducted. - CVE-2021-20826

* An attacker may obtain the PLC Web server user credentials from file servers, backup repositories, or ZLD files saved in SD cards. As a result, the attacker may access the PLC Web server and hijack the PLC, and manipulation of the PLC output and/or suspension of the PLC may be conducted. - CVE-2021-20827
Solution

[Update the software]
Apply the appropriate software update according to the information provided by the developer.
* FC6A Series MICROSmart All-in-One CPU module v2.40 and later
* FC6B Series MICROSmart All-in-One CPU module v2.40 and later
* FC6A Series MICROSmart Plus CPU module v2.00 and later
* FC6B Series MICROSmart Plus CPU module v2.40 and later
* FT1A Series SmartAxix Pro/Lite v2.40 and later
* WindLDR v8.20.0 and later
* WindEDIT Lite v1.4.0 and later
* Data File Manager v2.13.0 and later

[Apply workarounds]
Applying the below workarounds may mitigate the impacts of these vulnerabilities.
* Restrict network appropriately to prevent the suspicious connection from untrusted devices
* Restrict the devices which can access PLCs
* Manage ZLD files appropriately

For more information, refer to the information provided by the developer.
Vendor Information

IDEC
CWE (What is CWE?)

  1. Unprotected Storage of Credentials(CWE-256) [Other]
  2. Unprotected Transport of Credentials(CWE-523) [Other]
CVE (What is CVE?)

  1. CVE-2021-37400
  2. CVE-2021-37401
  3. CVE-2021-20826
  4. CVE-2021-20827
References

  1. JVN : JVNVU#92279973
  2. National Vulnerability Database (NVD) : CVE-2021-20826
  3. National Vulnerability Database (NVD) : CVE-2021-20827
  4. National Vulnerability Database (NVD) : CVE-2021-37400
  5. National Vulnerability Database (NVD) : CVE-2021-37401
  6. ICS-CERT ADVISORY : ICSA-22-006-03
Revision History

  • [2021/12/27]
      Web page was published
  • [2022/1/11]
       References : Contents were added

Date Public2021/12/24
Date First Published2021/12/27
Date Last Updated2022/01/11